Your boss brought you his iPhone and said "make it work!". And so with no budget and no thought to security, you did. Now that Traveler's up and running, there are a lot more unsecured end points on your network. Explore different options to secure Traveler in this presentation from Simplified Technology Solutions' Darren Duke.

1. Oh yes, that Pentium 90 under your desk is running a
business critical app. Time to look at it.
Darren Duke – Technical Deus - STS – June 2013

2. About me
 AKA my favorite slide
 Started with “Lotus Notes” in R3
 Yes, really….R3
 Founder of STS based in Atlanta
 Sometime blogger, ranting Tweeter, ex-
host of This Week In Lotus, Speaker,
Fixture at “Ask the PM’s”
 I am obnoxious as obnoxiousness is
usually required to elicit answers from IBM
 “Experience is the name one gives to their
mistakes” – Oscar Wilde

3. Traveler, like BES = top
down
 Your CEO told your boss to make his
iPad work
 Your boss told you to make the CEO’s,
and now also *his* as he needs one “for
support”, iPads work
 You got no budget and an old desktop
server or VM and installed Traveler
 After the first email, this server was
business critical

4. Now everyone has one
 Once word was out…..
 You became very popular

5. iOS Devices are for
“work”….
 Hence the executives desire to get them
to work
 But we all know the real reason…

6. Security Options
 None. Erm….Whiskey Tango Foxtrot?
 SSL on Domino
 SSL on IHS in front of Domino (new in 9)
 Reverse Proxy
 IBM Mobile Connect
 Certificate authentication**
 You can always go back to BES ;)

7. Traveler is “free”
 Only if you don’t secure it
 How much did your org spend on BES?
 Server, CALs, Devices, Support….
 Why do you not treat your Traveler as
you did you BES?
 Spend money and do it right and secure it
 It’ll still come out cheaper than your BES did

8. A word about DNS and SSL
 Whatever solution you choose to secure
your Traveler server….
 Make sure DNS and protocol is the same
inside and out
 my_traveler_server.mycomany.com
 If you use SSL on the outside, you must use it
on the inside too
 That means you may use more than one
solution
 Outside LAN : IHS + SSL + Reverse Proxy
 Inside LAN : IHS + SSL

9. None – aka the default
 As the great Paul Mooney once said:
 “Port 80 on Traveler is *very* unwise”
 Your passwords (and everything else) is
going across the internet in clear text
 But…..
 it scales well - joke
 Still, I would not do this on my servers. Ever.
 Even the installer warns you this is a bad
idea
 Free
 Until you are hacked

10. SSL on Domino
 Everything is secure if you did it right
 Redirect all traffic from 80 to SSL (443) in the
server doc, ports
 Self Signed SSL can be used
 But cause issues on some (all?) Androids
 You can get around this by side loading or
maybe the via the Google Play store now
 Domino SSL scaling may cause issues
 Domino still “surfaced” on the internet
 Reasonably cheap

11. SSL on IHS in front of
Domino
 New in 9.0, install IBM HTTP Server (IHS)
 Installed as option with Domino, on same server
as Domino
 Windows only for now, needs 9.0 IF1
○ PMR if you want other OSes to get this
 Will handle SSL
 Fixes Domino scaling with SSL
 “Allows” Domino HTTP to do TLS
 IHS now surface to the internet
 Reasonably cheap

12. Reverse Proxy
 A proxy (like Websphere Edge Server,
F5 or Apache) in the DMZ forwards
traffic to Traveler in the LAN/DMZ
 Can also be done with IHS, not sure
about the licensing of that
 Domino has no surface on the internet
 Proxy can handle SSL
 Can be cheap, or expensive

13. IBM Mobile Connect
 IBM’s “headless VPN” solution
 Think of it like a very secure reverse proxy
 Can be used for iNotes, Connections
and Quickr too
 Out of the box (mostly) support for
Traveler
 No messy http.conf or domino.conf files
 Maybe relatively cheap based on current
license you have

14. IBM Mobile Connect Licensing
 If you have Domino Enterprise Server
licensing
 Full PVU or CEO
 NOT Express
 You get the CAL for IMC as an entitlement
 Will only need to license IMC PVUs
 None enterprise
 You’ll need clients and PVUs

15. All the previous slides were
server security
 What about users?
 Usually the weakest link
 Options
 Complex internet password
 Internet Password Lockout
 Certificate based authentication

16. Password Security
 Your weakest link if you install Traveler
correctly
 Complex passwords are good for you
 Suck for your user
 Password changes are difficult to do on
a device
 There is a possible solution…

17. Go password-less
 Certificate based authentication
 Well, on iOS devices
 Android is on the Traveler road map (PMR it)
 Really a function of the Domino HTTP server
and the device
 This is much easier with an MDM
 Pushing certificates is easier with a MDM
 You have to get the cert on the device
 Make sure users have device
passwords!!!

18. Conclusion
 You may decide to use multiple methods
 Domino + IHS + IMC + Certificates
 Yes, it can get complex
 Yes, it can be very, very secure
 Almost BES like, but not quite
 You may want to evaluate MDM’s before
attempting a certificate roll out
 Switching from non-SSL to SSL is “difficult”
 A secure, HA Traveler platform can be
expensive to implement
 But hey, so was BES

19. Q&A and links
 http://blog.darrenduke.net
 Mostly useful stuff, some rants
 http://www.simplified-tech.com
 No rants, Lisa won’t let me
 https://twitter.com/darrenduke
 Mostly rants, some useful stuff
 http://geldreddotcom.files.wordpress.com/2013/05/choosing-a-
mdm-presentation.pdf
 choosing an MDM
 I like DesktopCentral for the record
 Never allow Anonymous access to the Domino Directory…..ever. Never.